Windows Hyper-V Elevation of Privilege Vulnerability

CVE-2026-40402 | CVSS 9.3 | May 12, 2026 | OTPulse
Vendor: Microsoft
IT in OT: Windows Server and Active Directory are widely deployed in OT environments
Attack path
  • Attack Vector: Local
  • Auth Required: None (no privileged credentials; the attacker still needs to run code on the host as a local user, see Prerequisites)
  • Complexity: Low
  • User Interaction: None needed
Summary

A use-after-free memory vulnerability in Windows Hyper-V allows a local attacker without administrative credentials to elevate privileges on the host system. The vulnerability affects Windows Server 2022 and Windows 11 Version 23H2 systems where Hyper-V is installed or enabled. Exploitation requires local user account access but no special credentials or user interaction.

What this means
What could happen
An attacker with local access to a Windows Server or Windows 11 system running Hyper-V could escalate privileges to gain full control of the host machine and all virtual machines running on it, potentially disrupting critical operations.
Who's at risk
Water authorities and utilities using Windows Server 2022 or Windows 11 systems as Hyper-V hosts should care about this vulnerability. This affects servers hosting virtual machines that run SCADA systems, HMIs, data collection systems, or other critical operational technology workloads. Hyper-V hosts are common in modern utilities for consolidating multiple critical systems.
How it could be exploited
An attacker with a local account on a Windows Server or Windows 11 system could exploit a memory management flaw in Hyper-V to elevate privileges without requiring administrator credentials. Once elevated, the attacker could access or modify virtual machines and their configurations.
Prerequisites
  • Local user account on the affected Windows Server or Windows 11 system
  • Hyper-V role or feature enabled on the system
Key factors
  • No authentication beyond local access required for exploitation
  • Low complexity attack
  • Affects the host and all hosted virtual machines
  • Hyper-V is common in enterprise IT environments supporting OT systems
Exploitability
EPSS score 0.1%: currently assessed as unlikely to be exploited in the wild. EPSS estimates near-term exploitation probability, not impact; the CVSS 9.3 severity still applies to any host that meets the prerequisites, so the low score is a reason to schedule the patch, not to skip it.
Affected products (4, all with a fix available)

Product                                          Affected versions   Fixed in build
Windows Server 2022                              All versions        10.0.20348.5139
Windows Server 2022 (Server Core installation)   All versions        10.0.20348.5139
Windows 11 Version 23H2 for ARM64-based Systems  All versions        10.0.22631.7079
Windows 11 Version 23H2 for x64-based Systems    All versions        10.0.22631.7079
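To check a host against this table, the following is an added PowerShell example (not from the advisory, OTPulse or Microsoft). It reads the installed build including the UBR (the fourth number, which is what distinguishes the fixed build from an earlier one), tests whether the Hyper-V role or optional feature is present, and compares against the fixed builds listed above. The cmdlets and registry values are real; the function names and the output object are my own. Run it elevated, since the optional-feature query requires it.

```powershell
# Added example: is this host an affected SKU, does it carry Hyper-V, and is it
# at or above the fixed build for CVE-2026-40402? Build numbers are those the
# advisory lists. Run as Administrator.

# Fixed builds keyed by OS build series (major.minor.build) of the affected SKUs.
$fixedBuilds = @{
    '10.0.20348' = [version]'10.0.20348.5139'   # Windows Server 2022 (incl. Server Core)
    '10.0.22631' = [version]'10.0.22631.7079'   # Windows 11 23H2 (x64 and ARM64)
}

function Get-OsBuildVersion {
    # Get-ComputerInfo omits the UBR, so read CurrentVersion directly.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]('{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber,
                                   $cv.CurrentMinorVersionNumber,
                                   $cv.CurrentBuildNumber, $cv.UBR)
}

function Test-HyperVPresent {
    # Server exposes Hyper-V as a role (ServerManager); client as an optional feature.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $role = Get-WindowsFeature -Name Hyper-V -ErrorAction SilentlyContinue
        if ($role) { return [bool]$role.Installed }
    }
    $feat = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All `
                                       -ErrorAction SilentlyContinue
    return ($null -ne $feat -and $feat.State -eq 'Enabled')
}

function Test-CVE202640402Exposure {
    $build  = Get-OsBuildVersion
    $series = '{0}.{1}.{2}' -f $build.Major, $build.Minor, $build.Build
    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = $build.ToString()
        HyperV       = Test-HyperVPresent
        AffectedSku  = $fixedBuilds.ContainsKey($series)
        Patched      = $null      # stays $null for SKUs the advisory does not list
        Exposed      = $false
    }
    if ($result.AffectedSku) {
        $result.Patched = ($build -ge $fixedBuilds[$series])
        # Exposed only when the vulnerable component is present AND the fix is missing.
        $result.Exposed = $result.HyperV -and -not $result.Patched
    }
    return $result
}

Test-CVE202640402Exposure | Format-List
```

For a fleet, wrap the call in Invoke-Command against the Hyper-V host list and filter on Exposed; a host that reports AffectedSku but HyperV false is still worth patching at the next window, since enabling the role later would make it exposed without any further change.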
Remediation & Mitigation

Schedule: requires a maintenance window

Patching may require a device reboot, which restarts every VM on the host; plan for process interruption (live-migrate or gracefully stop OT workloads first).

Windows Server 2022 (including Server Core)
  • HOTFIX: Apply the 2026-May security update to Windows Server 2022 (Build 10.0.20348.5139 or later)
Windows 11 Version 23H2 (x64 and ARM64)
  • HOTFIX: Apply the 2026-May security update to Windows 11 Version 23H2 (Build 10.0.22631.7079 or later)
Long-term hardening
  • HARDENING: Restrict local logon access on systems running Hyper-V to only authorized administrators
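One way to apply that hardening item with built-in tooling, as an added PowerShell example that is not part of the advisory: export the current user-rights assignments with secedit, list who currently holds "Allow log on locally" (SeInteractiveLogonRight), then apply a template that grants it only to BUILTIN\Administrators and one dedicated admin group. The group name CONTOSO\HV-Admins, the working directory and the function name are assumptions for illustration; secedit, its switches and the INF layout are standard. Run elevated.

```powershell
# Added example: audit and restrict "Allow log on locally" on a Hyper-V host so
# that only administrators can obtain the local session this bug requires.
# CONTOSO\HV-Admins is a placeholder group name; replace it with your own.

$work   = Join-Path $env:TEMP 'hv-logon-rights'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$before = Join-Path $work 'before.inf'
$after  = Join-Path $work 'after.inf'

# 1. Export current user-rights assignments (keep this file as the rollback copy).
secedit /export /cfg $before /areas USER_RIGHTS /quiet | Out-Null

function Get-LogonRightHolders {
    param([string]$InfPath, [string]$Right = 'SeInteractiveLogonRight')
    $line = Get-Content $InfPath | Where-Object { $_ -match "^\s*$Right\s*=" }
    if (-not $line) { return @() }
    # Values are comma-separated; SIDs carry a leading '*', names do not.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $v = $_.Trim()
        if ($v -like '*S-1-*') {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($v.TrimStart('*'))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $v }      # unresolvable SID (deleted account): print as-is
        } else { $v }
    }
}

Write-Host "Current 'Allow log on locally' holders:"
Get-LogonRightHolders -InfPath $before | ForEach-Object { "  $_" }

# 2. Resolve the admin group to a SID; fail loudly rather than write a bogus entry.
$hvAdminsSid = (New-Object System.Security.Principal.NTAccount('CONTOSO\HV-Admins')).
                   Translate([System.Security.Principal.SecurityIdentifier]).Value

# 3. Template granting the right only to BUILTIN\Administrators (S-1-5-32-544)
#    and the admin group. Everyone not listed loses interactive logon.
$template = Join-Path $work 'harden.inf'
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*$hvAdminsSid
"@ | Set-Content -Path $template -Encoding Unicode

secedit /configure /db (Join-Path $work 'harden.sdb') /cfg $template /areas USER_RIGHTS /quiet | Out-Null

# 4. Re-export and show the result.
secedit /export /cfg $after /areas USER_RIGHTS /quiet | Out-Null
Write-Host "After hardening:"
Get-LogonRightHolders -InfPath $after | ForEach-Object { "  $_" }
```

Two caveats a practitioner will want: a domain GPO that sets the same right will overwrite this local setting at the next policy refresh, so on domain-joined hosts put the assignment in the GPO that targets the Hyper-V OU instead; and RDP sessions also execute code on the host, so SeRemoteInteractiveLogonRight ("Allow log on through Remote Desktop Services") should be narrowed the same way. The Deny counterparts (SeDenyInteractiveLogonRight, SeDenyRemoteInteractiveLogonRight) take precedence over Allow and are the right place to block service accounts that must exist on the host but never need a session.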